In the past, I believed as many of you do, that implementing a security program meant taking control of as many factors in the environment as possible. In 2009, when I read a paper by Microsoft Research's Cormac Herley that criticized this tactic, I was shocked and outraged. He argued that information security programs often focus too much on policies and procedures that don’t actually reduce risk and ultimately increase costs. At the time, I was a CSO like many others--scraping for resources in both staffing and budgets. The last thing I needed was resistance to the policies and procedures I tried to put in place.
I really thought implementing all these policies and procedures made a difference. I was under the misconception that I could prevent the majority of information security incidents by taking away capabilities and making authentication as difficult as possible. The results were predictable: Users wrote passwords on sticky notes stuck under keyboards, and executives got angry when email to their children was encrypted due to false positive detection of confidential information. I eventually realized Cormac Herley had a point.
Confidentiality, integrity and availability are the core pillars of information security taught to everyone who enters the field. Yet most information security programs focus on confidentiality and forget about availability. For example, a company I worked with implemented a host of Group Policy settings in Microsoft Active Directory. These settings, combined with the disk encryption software installed on laptop computers, yielded boot times for the users of almost 10 minutes. I found laptops with tape across the power button because employees did not want to accidentally reboot their computers.
I'm not saying that using Group Policy or full-disk encryption to secure the environment is the wrong approach. Quite the contrary--I believe strongly in the appropriate application of both of these technologies. Where this company went wrong was in failing to measure the impact of these changes on their environment and their business. The laptop hardware was mostly older and did not support the encryption features built into modern CPUs that would have reduced boot times. Active Directory was centralized and connected with low-speed, high-latency WAN connections that were inadequate for the rapid deployment of Group Policies.
There were two core issues that drove this company to rapidly deploy technologies without consideration for business impact. The first is that it had to meet specific deadlines for regulatory compliance or face stiff penalties. This is one of the side effects brought on by information security regulations: Companies are rushing to be compliant but are not necessary any more secure.
[Traditional security systems aren't doing much to help us manage risk, but we keep buying them. Read Michele Chubirka's examination of this phenomenon in "Security Snake Oil For Sale."]
The second issue is the fallacy that all risks can be identified and controlled. Technology is just moving too quickly for anyone to anticipate all of the potential risks to an environment. For example, passwords have often been a victim of technological advances. Strong passwords from just a few years ago are now cracked in less than a minute on a standard PC by pattern matching every possible combination with the corresponding hash. Password change frequency policies now offer little protection unless the password is changed every 2 minutes. The point is: A safe practice now may not be so in less than a year.
So should we just give up? Have we lost the war? Hardly; it's just time to change our tactics.
First, we must move our emphasis from prevention to detection. We must build our information technology systems with penetration in mind. I often compare this to designing a submarine where areas are compartmentalized to contain flooding. Our information technology systems need to be built with compartmentalization in mind to limit the damage from a security breach. This also puts us in a position to detect and resolve a security breach more quickly.
Second, we must design security systems that consider the impact on the business and limit the impact on productivity. Availability is just as important as confidentiality in information security. Users will be less likely to attempt work-a-rounds when security processes are transparent to them. There may even be times when productivity can be increased by using security technologies such as single sign-on. We must consider the full user experience when designing security systems in order to be successful.
It is not too late to change course. The Cormac Herley paper is still a good read for anyone that is interested in learning more about the productivity costs of implementing bad security. I’m sure there are going to be some information security pros who react in the same way that I did in 2009. But even they will recognize that it is time to stop punishing end users with bad security controls and move to a more proactive approach. Only by adopting compartmentalized systems with proactive monitoring will companies truly be ready for the modern threat environment.
[Hear how one CISO is shifting away from a prevention strategy and investing more in better visibility and response capabilities in "A CISO's Perspective: Enhancing Visibility and Response to Provide More Effective Information Risk Management and Security" at Interop New York this week.]